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Quantum protocols for coin-flipping can be composed in series in such a way that a cheating 
party gains no extra advantage from using entanglement between different rounds. This composition 
principle applies to coin-flipping protocols with cheat sensitivity as well, and is used to derive two 
results: There are no quantum strong coin-flipping protocols with cheat sensitivity that is linear in 
the bias (or bit-commitment protocols with linear cheat detection) because these can be composed 
to produce strong coin-flipping with arbitrarily small bias. On the other hand, it appears that 
quadratic cheat detection cannot be composed in series to obtain even weak coin-flipping with 
arbitrarily small bias. 



PACS numbers: 03.67.Lx 



I. INTRODUCTION 



Coin-flipping is the cryptographic problem where two 
mutually distrustful parties try to agree on a random 
bit. This is to be accomplished by sending sequential 
messages over a communication channel. 

The goal is that, if both players are honest and follow 
the prescribed protocol, they both output the same bit, 
which is uniformly random. The restriction is that, if ei- 
ther party is dishonest, then the bit output by the honest 
player must still be approximately random. The figure of 
merit for a coin-flipping protocol is the bias, defined as 
the maximum increase in the probabilities of the honest 
player's outputs that a cheating party can achieve. 

There is a weaker version of the above problem, where 
one party wants to obtain outcome zero, and the other 
party outcome one. This corresponds more closely to the 
colloquial idea of coin-flipping. In this case, the protocol 
need only prevent a cheater from biasing the coin in favor 
of his desired outcome. The two versions of the problem 
are known respectively as strong and weak coin-flipping. 

In the classical setting the problem is impossible with- 
out some additional restrictions on the computational 
power available to each party. Nonetheless, in the quan- 
tum setting, where the parties can process quantum in- 
formation and communicate over a quantum channel, the 
goal can be partially achieved. 

Ambainis and Spekkens and Rudolph have con- 
structed strong coin- flipping protocols with a bias e = ^ . 
However, it was proven by Kitaev (and summarized 
in Ref. 4j), that all quantum protocols for strong coin- 
flipping must have a bias of at least e=^ — |~0.21. 

Quantum weak coin-flipping is a little more promising. 
The best known protocol is by Spekkens and Rudolph 5] 
and achieves a bias of e = — ^ . The only known bound 

is due to Ambainis an d states that the number of 
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rounds must grow at least as f2(loglogi). In particular, 
to obtain arbitrarily small bias, we must have protocols 
with an ever increasing number of rounds. 

Unfortunately, analyzing quantum protocols with a 
large number of rounds is often difficult. One approach 
to obtaining a weak coin-flipping protocol with arbitrar- 
ily small bias could be to take a quantum coin-flipping 
protocol with a fixed number of rounds, and compose it 
in series with itself to obtain a better coin-flipping proto- 
col. It is well known that quantum coin protocols com- 
pose well in series, and an argument for this is given in 
Sec.HH 

Unfortunately, serially composing standard coin- 
flipping protocols does not decrease the overall bias [||. 
However, quantum mechanics is good at detecting state 
disturbance, and other deviations from a protocol. It 
is therefore possible to construct coin-flipping protocols 
with cheat sensitivity, where a dishonest player may be 
able to cheat by a significant amount, but only at the risk 
of getting caught by the honest player. Cheat sensitive 
protocols can produce improved coin-flipping protocols 
when composed in series under certain conditions. 

Quantum protocols with cheat sensitivity have been 
constructed by Spekkens and Rudolph .5] where players 
cheating by large amounts will get caught, but at least 
one party can bias the coin by a small amount without 
being detected. Aharonov et al. Q have a protocol with 
quadratic cheat detection on one side, but no cheat de- 
tection on the other side. Hardy and Kent Q devised a 
protocol where neither player may cheat by any amount 
without risking detection, but the functional form of the 
cheat detection was not determined, though it is known 
to be quadratic or worse. Functional forms of cheat de- 
tection were also discussed in Ref. 0- 

In the present paper, we will analyze the serial com- 
position of cheat sensitive coin-flipping protocols. We 
shall treat the cheat sensitive protocols as oracles or black 
boxes, with a cheat sensitivity that is given by a function 
of the target bias. This will lead to our two main results: 

In Sec. IIIII we show that quadratic cheat detection pro- 
tocols, where the probability of getting caught is propor- 
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tional to the square of the bias, are a fixed point of serial 
composition, at least to leading order. This means that 
no matter how many times the protocol is composed with 
itself, the amount of cheat detection remains approxi- 
mately the same. Because most known cheat sensitive 
protocols are quadratic or worse, this result is evidence 
that serial composition may not be useful to obtain weak 
coin-flipping. 

In Sec. II VI we show that linear cheat detection cannot 
exist for strong coin-flipping. This is done by compos- 
ing the linear cheat detection to obtain a strong coin- 
flipping protocol with arbitrarily small bias, in violation 
of Kitaev's lower bound. Note that the second result 
only uses serial composition as a tool for the proof, and 
the result holds for all cheat sensitive strong coin-flipping 
protocols. 

The result of Sec. IIVI also applies to bit-commitment, 
which is a cryptographic protocol related to coin-flipping. 
Coin-flipping can be constructed out of bit-commitment 
as follows: first Alice commits a bit to Bob, then Bob 
announces a random bit, then Alice reveals her bit and 
the coin outcome is the XOR of the two bits. Cheat de- 
tection as a function of e can be defined in a way similar 
to Ref. 0. For Alice, e is the amount by which she can 
change the probabilities associated with the committed 
bit, whereas for Bob, e is the additional probability of 
guessing Alice's committed bit correctly. Because lin- 
ear cheat detection in bit-commitment can be used to 
produce a strong coin-flipping protocol with linear cheat 
detection, it is also ruled out as a possible quantum pro- 
tocol. 



II. SERIAL COMPOSITION OF QUANTUM 
COIN PROTOCOLS 

Protocols for coin-flipping can be naturally composed 
in series to obtain new coin- flipping protocols. What 
is surprising at first is that quantum protocols for coin- 
flipping compose serially in such a way that a cheating 
party does not get any unexpected advantage by using 
entanglement. We shall prove this below, but let us first 
define carefully what we mean by unexpected advantage. 

Let V be any quantum coin-flipping protocol. At the 
end of the protocol each player will output one of {0, 1, C} 
where the last entry denotes the output when one player 
catches the other player cheating. Let us assume that 
Alice is honest and Bob is cheating. For each cheating 
strategy employed by Bob, there will be a triple of prob- 
abilities (Pq, Pi, Pc)t one for each of Alice's possible out- 
puts. Let SIaCP) be the set of all such attainable triples. 
Clearly (1/2, 1/2,0) <E VIa{V) since Bob can always play 
honestly. If the protocol does not allow Bob to fully bias 
toward 1 then (0, 1, 0) ^ ^Ia{V). Some protocols may not 
have any cheat detection, in which case Pc will always 
be zero. For honest Bob and cheating Alice there is a 
similarly defined Q,b{V). 

Assume we take the protocol V and run it many times 



in series. We are interested in proving that a cheating 
player, say Bob, does not obtain any extra cheating power 
by using entanglement between different rounds. That 
is, that for every round j, independently of previous out- 
comes and strategies used by Bob, any strategy that Bob 
employs will make Alice output based on a triple of prob- 
abilities in Q,a (V). 

Clearly Bob can vary his strategy in each coin-flip 
round, and even base his strategy on the outcomes of 
the previous coin-flips. However, when flipping TV coins 
in series, Bob cannot obtain an outcome of all ones with 
a probability greater than (Pi^ax)^, where Pi imax is the 
maximum value of Pi over any triple in Qa(V). 

The reason that quantum coin-flipping can be serially 
composed stems from the following conditions which are 
always imposed on coin-flipping protocols: 

1. There is always at least one honest party. 

2. The details of the protocol, which can be described 
in terms of fixed unitaries acting on a fixed initial 
state, are known to all parties. 

3. The protocol begins in an unentangled state, a con- 
dition which can be enforced by the honest party. 

The first condition arises because no constraint is im- 
posed on the case when both parties are cheating, and 
therefore the case never needs consideration. The third 
condition is always imposed to avoid trivial protocols, 
since establishing correlations is the goal of a coin- 
flipping procedure. 

The proof of composition is fairly simple. At the be- 
ginning of the k th round, the cheater will be unentangled 
from the honest player. The honest player has erased 
her Hilbert space and reset it to the initial state of the 
protocol. All that the cheating player has left over from 
the previous rounds is some quantum state in his Hilbert 
space. However, because the honest protocol is public, 
the cheating player knows exactly the state of his Hilbert 
space (which may be a mixed state, caused by the honest 
player erasing her Hilbert space). 

Now assume that he could, with the help of this state, 
force the honest player (say Alice) to output with prob- 
abilities not in ^a{P)- Then with the same state, he 
could obtain the same results in the first round or even 
when protocol V is used in a one-shot run, contradict- 
ing the definition of Qa(V). To put it another way, Bob 
can simulate in his private Hilbert space the first k — 1 
rounds and start playing the first round from that point, 
but this clearly can give him no extra advantage. 

The conclusion of this section is that, given a quantum 
protocol for coin-flipping, we may treat the protocol as 
a black box when composing it in series with itself (or 
even with other coin-flipping protocols) without worrying 
about entanglement between rounds. We shall use this 
fact to derive two interesting results. 
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III. QUADRATIC CHEAT DETECTION IS A 
FIXED POINT OF COIN-FLIPPING 

Because quantum coin- flipping composes in series, it is 
tempting to try to use a classical game layer on top of a 
known quantum coin-flipping protocol in order to reduce 
its maximum bias. That is, we wish to construct a two 
player classical game that uses the quantum coin as a 
black box. The game could be, for instance, flipping a 
coin N times, and the party that wins a majority of coin 
tosses wins the game. 

The ideal goal for this process would be to produce 
a weak coin-flipping protocol with arbitrarily small bias. 
While it is known that games built out of standard coin- 
flipping protocols can never reduce the maximum bias, 
the situation is different when cheat detection is avail- 
able. Especially in the case of weak coin- flipping, where 
an honest player may declare himself the winner if he 
detects the other party cheating, there are certain black- 
box protocols that can be used to produce arbitrarily 
small bias. The question is how much cheat detection is 
needed in order for successive compositions to improve a 
coin-flipping protocol? 

We will be interested in protocols with symmet- 
ric, monomial cheat detection. Let V be a protocol 
where both parties have equal cheating opportunities 
(i.e., n A (V) = VL B {V) = fl(V)) and such that all proba- 
bilities (P ,Pi,Pc) G n(P) have the form: 

= (l-P C )Q+e), (1) 

Pi = (l--Pc)Q-e), (2) 
P C > a\e\\ (3) 

which can be viewed as a function of a parameter e that 
is controlled by the cheating party. The constants a > 
and 6 > denote the amount of cheat detection. Strictly 
speaking, Pc should also be considered a second param- 
eter that can be controlled by the cheater, as he can 
always use a less optimal cheating strategy. In practice, 
a cheater will always minimize Pc for a given bias, and 
therefore we may assume equality in Eq. J3J|. We shall 
call the case 6=1 linear cheat detection, and the case 
6 = 2 quadratic cheat detection. 

When building games out of cheat sensitive coin- flips, 
the outcome of the entire game will be "cheating" if 
in any individual coin-flip a cheating outcome was ob- 
tained. To leading order in epsilon, the composite game 
will have a cheat sensitivity of the same form, with the 
same coefficient 6, but in general a different a. When 6 
is small, successive compositions increase a thereby pro- 
ducing a more cheat sensitive protocol, whereas in the 
large 6 regime composition has the opposite effect. We 
intent to prove in this section that 6 = 2 is a fixed point 
of coin-flipping. That is, for all possible games that use 
a coin with quadratic cheat detection as a black box, the 




FIG. 1: "Best two out of three" game tree. Binary nodes 
are labeled by the probability of winning for an honest player 
trying to obtain outcome 0. 

resulting protocol has exactly the same amount of cheat 
detection to leading order in epsilon. 

We begin by describing the set of all possible games 
that employ a cheat sensitive coin-flip as a black box. 
These can be put in correspondence with the set of bi- 
nary trees, where the leaf nodes are labeled by cither 
zero or one. For instance, the tree corresponding to the 
"Best two out of three" game is depicted in Fig.Q] Each 
binary node corresponds to a coin flip, with up corre- 
sponding to the outcome zero and down to the outcome 
one. The leaves are endpoints of the game and their la- 
bels correspond to the final game outcome at that node. 

Other examples of games that produce coin-flips in- 
clude "first outcome that is repeated N times" and "first 
outcome to occur a total of N times more than the other" , 
both of which correspond to trees of infinite length. Al- 
lowing for trees of infinite length also accounts for all 
games that have a tie outcome, after which the game is 
restarted. For trees of infinite length we impose the ad- 
ditional constraint that when playing honestly, the prob- 
ability of never reaching a leaf node is zero. 

Let x be a variable that ranges over the binary nodes 
of the tree. A general cheating strategy is a function 
e(x), which assigns a bias to each node where a coin- 
flip takes place. We also define p e (x) as the probability 
of arriving at node x given a cheating strategy e(x). In 
defining this quantity, we assume that if the cheater is 
caught at a given node, the game stops, thereby reducing 
the probability of arriving at the child nodes. In terms 
of these quantities we can write the total probability of 
getting caught: 

Pc.tot = 5> Pe (x)|e(x)| b . (4) 

X 

To leading order in e(x), we can replace p e (x) with the 
probability of arriving at the node in the honest protocol. 
This can be written as 2~ D ^ where D(x) is the depth of 
the node x, with the root node having depth zero. The 
formula becomes: 

Pc,tot=Y J a2 ~ D(x) \< x )\ h ■ ( 5 ) 

X 

To expand the total bias to leading order in epsilon, 
we only need to keep track of terms that are linear in 
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e(x), and can therefore disregard the multiplicative factor 
1 — Pq in the probabilities for obtaining zero or one. Of 
course, we are assuming b > 1 at this point, and will soon 
concentrate on b = 2. The probability of the cheater 
obtaining his desired outcome, and winning the game, 
satisfies a simple recursion relation: 



Pw(x) = ^{Pw(x v ) + P w (x 1 )) 

+e(x) (P w (x r ) ~ Pw{x 1 )) , 



(6) 



where P\y {x) is the probability of winning having arrived 
at node x, and x^ , x^ are the two children of node x. At 
the root node the probability of winning is 



Pw,tot = \+y, 2 ~ d{x) ^ x )<* 



(7) 



where A(x) = P\y(x^) — Pw(x^), which can be computed 
at this point from the honest probability of winning. 

The total bias for the game is given to leading order by 
|e fof | = Pw — 1/2, where we have excluded cases where 
the cheating benefits the honest player. For a given total 
bias, the cheater will choose e(x) to minimize the prob- 
ability of getting caught. The calculation to minimize 
Pc,tot under the constraint of fixed etot can easily be done 
using a Lagrange multiplier, to obtain the result: 



e(x) = sgn(AA(x)) 



AA(x) 



ab 



(8) 



where A is the Lagrange multiplier. We have allowed 
e(x) to range over the reals, but will show below that for 
quadratic cheat detection the optimal solution satisfies 
the requirement \e(x)\ < 1/2. 

To eliminate the Lagrange multiplier, we can substi- 
tute the expression for e tot into the expression for Pc,tot 
to obtain: 



Pc,, 



etot 



where 



1-6 



j22- D(x) \A(x)r- 



(9) 



(10) 



For the case 6 = 2, the following lemma shows that 
anew = a for all game trees: 

Lemma: For all game trees as described above, we have 
the equality 



^2- D WA( 1 ) 2 = l. 



(11) 



The lemma can be proven using a simple combinatorial 
argument that is presented for the interested reader in 
the appendix. 

From Eq. JSJ we see that for b — 2, the amount of 
cheating at node x is proportional to A(x). The constant 



of proportionality, as well as the Lagrange multiplier, are 
fixed by Eq. J7J. After eliminating a factor of 1 using 
the above lemma we obtain that the optimal strategy is 
e(x) = \e to t\A(x). This satisfies the intuition that the 
cheater will choose a larger bias on coin-flips that are 
more consequential. Furthermore, because |A(ir) < 1, 
we have shown that the optimal strategy is achievable 
(i.e., \e(x)\ < 1/2 for every x) whenever |e tot | < 1/2. 

For other values of b near two, we can consider the 
derivative of a new with respect to b. For any fixed graph, 
this derivative is negative. The conclusion is that for 
every graph, serial composition of b < 2 cheat detection 
leads to improvement to lowest order, whereas in the b > 
2 case the cheat sensitivity worsens. 

The above results complete our argument that 
quadratic cheat detection is a fixed point for coin- 
flipping. The argument is only valid in the regime where 
all biases, including the total bias, are small. Unfortu- 
nately, because a protocol producing weak coin-flipping 
with arbitrarily small bias would have to employ arbi- 
trarily large trees, it is not sufficient to simply take the 
small bias limit on a fixed tree. 

In essence, associated with each weak coin-flipping pro- 
tocol there is a function Pcifi) indicating the minimum 
probability with which a party will get caught cheat- 
ing if they try to bias the coin by e. Composing this 
protocol in series one obtains a new protocol with func- 
tion Pc,tot(etot)- That is, serial composition with a given 
game tree induces a map from the set of functions Pc{c) 
to itself. We have shown that, independent of the tree, if 
the original function behaves as ae 2 for small e, then so 
will its image. 

The fact that the coefficient of the quadratic term re- 
mains fixed under the map induced by every game tree 
is a peculiar and interesting feature. It is indicative that 
serial composition of quadratic cheat detection may not 
be useful for producing weak coin-flipping with arbitrar- 
ily small bias. However, further research in this direction 
is needed in order to conclusively settle the issue. 



IV. NO-GO THEOREM FOR LINEAR CHEAT 
DETECTION 

In this section we shall switch gears and focus on serial 
composition of linear cheat detection protocols. We shall 
prove that linear cheat detection can be serially com- 
posed to produce not only weak coin-flipping but also 
strong coin-flipping with arbitrarily small bias. Because 
of Kitaev's bound (discussed in Ref. 41j), the result in 
this section proves that a strong coin-flipping protocol 
with linear cheat detection cannot exist. 

The result of this section only applies to strong coin- 
flipping schemes with cheat sensitivity as described in 
Eq. J3J). An alternative not covered by the proof in this 
section is the case where Alice can force outcome 1 (and 
Bob can force outcome 0) without getting caught, which 
corresponds to cheat sensitive weak coin-flipping. Be- 
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cause weak cheat sensitivity can be simulated by strong 
cheat sensitivity, the result of the previous section applies 
to weak cheat sensitivity as well. However, the opposite 
is not true, and the results of the present section do not 
apply to linear cheat sensitivity in weak coin-flipping. 

Since strong coin-flipping can be constructed out of bit- 
commitment, the result of this section can also be applied 
to cheat sensitive bit-commitment protocols. In fact, the 
only known coin-flipping protocol, where neither side can 
cheat by a finite amount without getting caught, is de- 
scribed in Ref. 0, and is a strong coin- flipping protocol 
that is constructed out of bit-commitment. 

For the proof of the above statements, we assume the 
existence of a quantum protocol V described by Eq. @ 
with b — 1 and some non-zero a. We shall describe a 
game, that uses V as a black box, which achieves strong 
coin-flipping with bias that becomes arbitrarily small in 
the limit of a game parameter N — * oo. Though, for 
the purposes of comparing against Kitaev's bound, it is 
sufficient to allow honest players to output "cheat" at the 
end, we will construct the game so that the honest player 
always outputs one of the outcomes zero or one. 

The game is the random walk on a 1-D line, starting 
from the origin, using the coin provided by V . The game 
ends with the first arrival at one of the two sites ±N, 
with the right end corresponding to the outcome zero, 
and the left end to one. 

If one party detects cheating, they will continue the 
game using a private fair coin, and output according to 
the outcome of the game. Let z e {— N, . . . , N} be a 
variable that runs along the line. If cheating occurs when 
the game is at z, then the honest players can simply 
output using P = {N + z)/2N and Pi = (N-z)/2N. In 
essence, the only deterrent to the cheater is that he may 
be able to cheat more effectively in a future round. Note 
that the honest party cannot just flip a balanced coin 
after detecting cheating because in this case the cheating 
party would only cheat when he is about to lose. 

Because the honest player keeps no state beyond the 
current location along the line, z, there is an optimal 
cheating strategy where the bias only depends on z. That 
is, we only need to consider functions e(z) when maximiz- 
ing over cheating strategies. 

We assume that the cheating player is trying to bias 
toward zero (i.e., the right side). We can then define the 
function W e (z) to be the probability of winning starting 
from node z, using biases e(z). The function is similar 
to Pw defined in the previous section, except that we 
are now using large biases, which cannot be ignored in 
calculating the probability of winning. 

The function has the constraints W e (N) = 1, 
We(-JV) = and 



W e (z) = P (e(z))W(z + l) 

, . NN N + z 



+ P 1 (e(z))W(z-l) 



(12) 



Clearly, for optimal strategies, W e (z) > (N + z)/2N for 
all z because the cheating party can always play honestly. 



The value of We(0) is simply the probability of win- 
ning the entire game. The cheater will chose e(z) 
in order to maximize W e (0). We shall prove that 
max [W e (0) - 1/2] -> as N -> oo. 

The analysis is made easier by using a modified black 
box protocol V' with achievable probabilities of the form: 



Po 

Pi 
Pc 



1 

2 " 
1 

2 " 

ae, 



(l + o)e, 



(13) 

(14) 
(15) 



for < e < e max where e max = 1/(2 + 2a). For every e, 
protocol V gives the cheater a slightly higher probability 
of obtaining the desired outcome than with protocol V . 
Therefore, any bounds on cheating obtained using V' as 
a black box will apply when using V instead. 

Consider using V' and varying independently each of 
the nodes of the complete game tree. The bias e(x) of 
each node enters linearly into W^ e (0), which can be maxi- 
mized by letting the biases take only the boundary values 
of or e max . As discussed above, the optimal biases will 
depend only on the corresponding value of z, and there- 
fore we need only consider functions e(z) which take val- 
ues in {0,e max }. 

The maximization is now easy to analyze. Define 
8(z) = W e (z) — (N + z)/2N, which is the extra prob- 
ability of winning that the cheater is getting at position 
z. We shall prove below that 



S(z + 1) < 



2aN 



8{z) < 



2aN 



(16) 



If e(z) = e max the above statement is true because 
Eq. states that: 



8(z) 



1 

2 +e 
2 + a 
2 + 2a 



5(z + l) 
2- 



S(z + 1) - 



1 

2N / 
a\ 2 



(17) 



2aN 



2aN 



On the other hand, if e(z) 
that: 



then Eq. JTJJ states 



5(z + l)-S(z) = 6(z)-6(z-l), 



(18) 



that is, 8 has a constant slope around z. If for all z' < 
z we have e(z') = 0, then the slope must be constant 
through this entire region. Since 8(—N) = 0, the slope 
can only be negative (i.e. increasing toward the left) if 
S(z) < 0, which proves Eq. (|16fl for this case. Otherwise, 
let z' < z be the largest integer such that e(z') = e maa; . 
Again the slope must be constant from z', in which case, 
by Eq. (fT%| the slope can only be negative if S(z') < 
(2 + a)/2aN which implies 8(z) < (2 + a)/2aN. 

Having proven Eq. I|16l) . and using the initial case 
S(N) — 0, we have shown 



e t ot = W e (0) 



5(0) < 



2 + a 
2aN ' 



(19) 
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which can be made arbitrarily small by taking the limit 
N -» oo. 

The game described in this section shows that a strong 
coin-flipping protocol with linear cheat detection can be 
serially composed to obtain a strong coin-flipping proto- 
col with arbitrarily small bias. The conclusion is that 
quantum strong coin-flipping protocols with linear cheat 
detection cannot exist. 
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APPENDIX A: PROOF OF LEMMA 



V. CONCLUSIONS 

Using serial composition of coin-flipping we have es- 
tablished an upper bound on the amount of cheat de- 
tection possible in quantum protocols for coin-flipping 
and bit-commitment. We have also presented evidence 
that serially composing quadratic cheat sensitive proto- 
cols does not lead to an improvement in the amount of 
cheat detection. We speculate that quadratic or worse 
cheat sensitivity (b > 2) cannot be composed in series to 
obtain weak coin-flipping with arbitrarily small bias. We 
also speculate that cheat detection better than quadratic 
(b < 2) does not exist for bit-commitment or strong coin- 
flipping, and probably not for weak coin-flipping cither. 

Nevertheless, linear cheat detection in weak coin- 
flipping remains an open, though unlikely, possibility. In 
fact, by serially composing weak coin-flipping with lin- 
ear cheat detection, it is not hard to show that one can 
construct a weak coin-flipping protocol with a bias of 
exactly zero. The apparent contradiction with the re- 
sult of Lo and Chau is resolved by noting that they 
only considered protocols with a fixed number of rounds. 
However, there are protocols where the number of rounds 
is variable and possibly arbitrarily large (a good classi- 
cal example is rock-paper-scissors), while still having a 
zero probability of going on forever. For these protocols 
the measurements cannot be delayed to the final round, 
and therefore the analysis of Lo and Chau does not ap- 
ply. These protocols can always be truncated to a finite 
number of rounds, though, at the cost of allowing an ar- 
bitrarily small bias. 

Other questions that remain open include: What hap- 
pens to serial composition of quadratic cheat detection 
in the large bias regime? What can be said for other 
functional forms of cheat detection versus bias, includ- 
ing cases where one party may be a able to cheat by a 
small amount without getting caught? And of course, 
the main question — whether or not weak coin-flipping 
with arbitrarily small bias can be achieved as a quan- 
tum protocol — remains unresolved. 
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Let T be a binary tree. We will use the variable x to 
denote a binary node of T and y to denote a leaf. 

Associated with T there is a function Pw(y) on the 
leaf nodes which takes the values zero or one. The func- 
tion can be extended to the rest of the nodes by defining 
Pw(x) as the average of the function on its two descen- 
dants. In terms of coins, Pw is simply the probability of 
winning when playing honestly starting from the given 
node. The function corresponds to the coin outcomes on 
the leaf nodes if the goal is to obtain 1, and otherwise the 
coin outcome is 1 — Pw{y). To obtain a fair coin toss, we 
require that Pw equal 1/2 on the root node. Otherwise, 
the function and the tree are arbitrary. 

We also arbitrarily label the two outgoing edges from 
each binary node as up and down, and define A(x) — 
Pw(x V ) ~ Pw{x l ). Finally, let D(x) be the depth of 
node x, with the root node having depth zero. 

Lemma: Given a tree T and function Pw as described 
above, the following equality holds: 



-D(x) 



A(x) 2 = 1. 



(Al) 



Proof: A (a;) is a linear combination of Pw{x) on its de- 
scendants, which in turn is a linear combination of Pw(y) 
on the leaf nodes. Therefore the left-hand side of the 
above equation is a quadratic polynomial of Pw{y)- 

Fix a leaf node y. The function Pw{y) only appears 
in A(a;) if y is a descendant of x, in which case it has a 
coefficient of ±2 D ^)+ 1 - D (v). The coefficient of P w (y) 2 
in this polynomial is therefore given by 

^2 2~ l 2 2{i+1 - D{y)) = 2 2{1 ~ D{v)) (2 D(y) - . (A2) 

2 = 

Fix a second leaf node y' ^ y. Let x' be the unique node 
that has y as a descendant along one branch and y' along 
the other. The coefficient of Pw(y)Pw(y') is 



D(x')-l 

2- i+2( - i +v- D (y'>- D (y") 



_ _23-D(y)-D(y') 



2 D(x')-D(y)-D(y')+3 



(A3) 



where the only negative term is contributed by A(x'). 
Note the extra factor of 2 accounting for the double oc- 
currence of Pw{y)Pw{y')- 
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Combining these results, the left-hand side of Eq. (|A1|) 



is 



4j2 2 ~ D{v)p w(y) 2 -4 



n 2 



(A4) 



node, which must equal 1/2. The left summand can be 
simplified by using Pw(y) 2 = Pw{y), in which case it can 
also be written in terms of Pw at the root node. We have 
shown that the left-hand side equals 4(1/2) -4(l/2) 2 = 1 
as desired. □ 



Note that the factor in brackets is just Pw at the root 
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